Router DNS Hacks Deliver Porn Ads to Mainstream Sites

MALWAREVILLE—Digital security firm Ara Labs has uncovered a clever "ad fraud scheme" that uses malware to hijack router DNS settings to deliver unwanted ads for porn and other products to mainstream sites. It's a definite variation on an old theme, notes Ara's Sergei Frankoff. "Malware that hijacks router DNS settings is not new," he wrote yesterday on the company blog. "However, exploits developed in recent years that enable hijacking through the use of Javascript alone are making this a widespread problem. Ara Labs has uncovered a new ad-fraud scheme where fraudsters are using hijacked router DNS settings to intercept Google Analytics tags and replace them with pornography and other ads. For victims whose router has been compromised this has the effect of injecting ads and pornography into every site that they browse that uses Google Analytics." The article that follows provides a detailed history of router DNS hacking, the methodology behind the current spate of hacks, and some suggestions how a consumer can prevent their router from being hacked. Not surprisingly, the most prevalent type of vulnerability is one that can be most easily corrected. "As we have seen above, the router DNS hijacking malware is taking advantage of default credentials on the routers, and bugs that allow unauthenticated configuration requests to be sent to the routers," observes Frankoff. "The best protection available is to ensure the firmware on your router is fully patched, and to change the default credentials." By credentials, he means the default password for the router. ExtremeTech explains more clearly, "While some routers have flaws in their web interfaces that allow for backdoor access no matter what, a large fraction of attacks against home routers succeed because people don’t change the near-ubiquitous 'admin/admin' login and password combination." The site further elaborates, "If your router has a known issue that allow for unauthenticated DNS changes (as some D-Link routers do), investigate whether it’s possible to load a version of DD-WRT or one of the Tomato forks. If the manufacturer of your device isn’t providing updates that resolve these problems, third-party firmware can, in some cases, resolve the issue." Solutions for impacted advertisers is more complicated. Frankoff explains, "Unfortunately, as we identified in our analysis above, some of the traffic sourced by these exchanges comes from iframes that are injected into websites using routers with hijacked DNS settings. As an advertiser you don’t want your ads being pushed through hacked routers nor do you want your ads displayed on publishers’ sites who source traffic through hacked routers. Due to the nature of this scheme there is no technology that is going to detect this automatically, you need to rely on intelligence." While these sorts of hacks appear to be opportunistic rather than utterly destructive, they nonetheless underscore an area of continuing vulnerability that anyone with a router in their home or office—meaning pretty much everyone—should find very unsettling. It also underscores the fact that hackers remain willing to exploit any and every weakness made available to them, the number of which is sure to climb as the Internet of Things continues apace. Image: Illustration by Ara Labs of the router DNS hack.